VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 30 of 135
  • CVE-2026-42832 · High · May 12, 2026
    risk 0.50 · cvss 7.7 · epss 0.00

    Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.

  • CVE-2026-42205 · High · May 8, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class…

  • CVE-2026-42278 · High · May 8, 2026
    risk 0.50 · cvss (not listed) · epss 0.00

    UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address…

  • CVE-2026-41900 · High · May 8, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has…

  • CVE-2026-20167 · High · May 6, 2026
    risk 0.50 · cvss 7.7 · epss 0.00

    A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker…

  • CVE-2026-33318 · High · Apr 24, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no…

  • CVE-2026-31018 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs…

  • CVE-2026-39386 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings,…

  • CVE-2026-23899 · High · Apr 1, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    An improper access check allows unauthorized access to webservice endpoints.

  • CVE-2026-33622 · High · Mar 26, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if…

  • CVE-2025-5962 · High · Sep 22, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can…

  • CVE-2025-7346 · High · Jul 8, 2025
    risk 0.50 · cvss (not listed) · epss 0.00

    Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.

  • CVE-2025-1259 · High · Mar 4, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available.

  • CVE-2022-26389 · High · Feb 7, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    An improper access control vulnerability may allow privilege escalation. This issue affects: * ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; * ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; * ELI 250c/BUR 250c…

  • CVE-2025-23083 · High · Jan 22, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated…

  • CVE-2024-55954 · High · Jan 16, 2025
    risk 0.50 · cvss 8.7 · epss 0.00

    OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root…

  • CVE-2024-25133 · High · Dec 31, 2024
    risk 0.50 · cvss 8.8 · epss 0.00

    A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.

  • CVE-2022-4809 · High · Dec 28, 2022
    risk 0.50 · cvss 8.8 · epss 0.01

    Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-4803 · High · Dec 28, 2022
    risk 0.50 · cvss 8.8 · epss 0.01

    Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-4689 · High · Dec 23, 2022
    risk 0.50 · cvss 8.8 · epss 0.01

    Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.